[Gllug] Xen and iptables problem

Bruce Richardson itsbruce at workshy.org
Fri Jan 5 16:05:57 UTC 2007


On Fri, Jan 05, 2007 at 02:42:59PM +0000, - wrote:
> 
> Actually, I forgot to mention in the original post that this is purely
> in Dom0. At the moment, all I want is to be able to do DNS lookups
> from Dom0 (as a first step to getting "yum update" to work). If I can
> get that much working, then the rest should fall into place. I can get
> incoming traffic to Dom0 working (e.g., ssh), but all outbound TCP
> traffic has the SYN/ACK reply blocked by iptables, for reasons that I
> just can't understand.

I did read somewhere that you can see problems with corrupted checksums
on ip packets in some circumstances and that this can be fixed by
turning off TX pause.  Be sure to do that for eth0 and not peth0.

My personal policy is never to configure an interface for dom0 on any
nic or bridge that is being used by the domU domains, so I don't need
the eth/peth bollocks that the xen networking scripts set up; I disable
it and configure a set of static bridges.  This means that dom0 cannot
route to the Internet via the Net-facing nic and has to use a separate
physical interface, shared with none of the domU domains, which connects
it to a separate network; if that network has a route to the Net, it can
connect out that way.  This does mean that in some circumstances a box
will be routing to the Net by going out one physical interface, through
a switch and back in again on another physical interface, through a domU
firewall and out yet another physical interface.  It may sound more
complicated but it's also more secure and as a side effect it would mean
that the problem you are seeing would simply not occur.

-- 
Bruce

I see a mouse.  Where?  There, on the stair.  And its clumsy wooden
footwear makes it easy to trap and kill.  -- Harry Hill
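As an added, editor-supplied illustration of the two points in the reply above (it is not code from the list post or from the Xen project), here is a small POSIX shell helper. It only prints the commands it would run, so it can be read before anything is applied as root. It assumes the interface names eth0, eth1 and xenbr0 and that dom0 filters with iptables plus connection tracking; the reason the missing SYN/ACK ties in with the checksum remark is that conntrack marks a TCP packet whose checksum does not verify as INVALID, so a stateful INPUT chain with a DROP policy never matches it as ESTABLISHED.

```shell
#!/bin/sh
# Added example for the dom0 outbound-traffic discussion above.
# Interface names and the iptables policy are assumptions, not the poster's
# configuration. Nothing here touches the system: every function prints the
# commands it would run, so the output can be reviewed before use.
set -u

# Read `ethtool -k IFACE` output on stdin and print the TX checksum offload
# state: "on", "off" or "unknown". Both the old single-line format and the
# newer format with tab-indented sub-features carry a "tx-checksumming:" line.
tx_checksum_state() {
    awk -F': ' '
        /^tx-checksumming:/ { split($2, v, " "); print v[1]; found = 1 }
        END { if (!found) print "unknown" }'
}

# Print the command that disables TX checksum offload on the interface dom0
# actually uses (eth0 in the xen bridge scheme, not the renamed peth0).
tx_checksum_off_cmd() {
    printf 'ethtool -K %s tx off\n' "$1"
}

# Print a minimal stateful dom0 policy on IFACE. Connections dom0 opens are
# accepted on OUTPUT; their replies (the SYN/ACK from the reply above) are
# accepted on INPUT only as ESTABLISHED. A reply whose TCP checksum conntrack
# cannot verify is INVALID instead and falls through to the DROP policy,
# which is why a corrupted checksum looks like "iptables blocks the SYN/ACK".
dom0_rules() {
    iface="$1"
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
}

# Print the commands that build a static bridge BR over physical NIC, the
# alternative to the eth0/peth0 rename done by the xen network-bridge script.
# dom0 gets no address on this bridge; domU vifs are attached to it later.
static_bridge_cmds() {
    br="$1"
    nic="$2"
    cat <<EOF
brctl addbr $br
brctl stp $br off
brctl addif $br $nic
ip link set $nic up
ip link set $br up
EOF
}

# Dry-run driver: sh this-script.sh DOM0_IF BRIDGE DOMU_NIC
# e.g. sh this-script.sh eth0 xenbr0 eth1 | less
dom0_net_plan() {
    tx_checksum_off_cmd "$1"
    dom0_rules "$1"
    static_bridge_cmds "$2" "$3"
}
```

Pipe real `ethtool -k eth0` output into `tx_checksum_state` to see whether offload is the likely culprit before changing anything; the rule set is deliberately small and leaves FORWARD closed, since dom0 in this scheme is not the box that routes for the domUs.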